(57) The invention provides improved computer network firewalls which include one or more features for increased processing efficiency. A firewall in accordance with the invention can support multiple security policies, multiple users, or both, by applying any one of several distinct sets of access rules. The firewall can also be configured to utilize "stateful" packet filtering, which involves caching rule processing results for one or more packets, and then utilizing the cached results to bypass rule processing for subsequent similar packets. To facilitate passage to a user, by a firewall, of a separate later transmission which is properly in response to an original transmission, a dependency mask can be set based on session data items such as source host address, destination host address, and type of service. The mask can be used to query a cache of active sessions being processed by the firewall, such that a rule can be selected based on the number of sessions that satisfy the query. Dynamic rules may be used in addition to pre-loaded access rules in order to simplify rule processing. To unburden the firewall of application proxies, the firewall can be enabled to redirect a network session to a separate server for processing.



FIG. 9 (flow chart of dependency mask processing; figure not reproduced): START; 901 OBTAIN IP PACKET, EXTRACT SESSION KEY; RULE SET EXHAUSTED? (YES: DROP PACKET); 902 ADVANCE TO NEXT RULE SET ENTRY; DEPENDENCY MASK? (NO: skip to 905); 903 FORM CACHE SEARCH STRUCTURE; 904 SEARCH CACHE, ACCUMULATING A COUNT OF MATCHES WITH THE CACHE SEARCH STRUCTURE; HIT COUNT REACHED? (YES: 905 SELECT RULE AND ENTER A CORRESPONDING ENTRY IN THE CACHE).
Printed by Jouve, 75001 PARIS (FR)

EP 0 909 072 A2
Description 

Field of the Invention

Background of the Invention 



Summary of the Invention 
for a specified time period, and a threshold rule which is used only when certain conditions are satisfied. Other types of dynamic rules include rules which define a host group, such that the host group can be modified to add or drop hosts [...].

The computer network firewalls of the present invention facilitate firewall processing in different applications. For example, the invention may be implemented in a dial-up access gateway. Another exemplary embodiment of the invention may be implemented in a distributed manner, with a first portion of the firewall in the network and a second portion of the firewall resident in a set-top box, computer or other user terminal in a home or business. The latter embodiment can allow the firewall techniques of the invention to provide, for example, parental control of Internet and video access in the home. These and other features and advantages of the present invention will become more apparent from the accompanying drawings and the following detailed description.



Brief Description of the Drawings 

[0013] Fig. 1 is a schematic of several user sites or domains connected to the Internet via a local area network providing firewall protection to the user sites.

[0014] Fig. 2 is a schematic of a user site connected to the Internet and including internal firewalls.

[0015] Fig. 3 is a schematic which illustrates a rule table.

[0016] Fig. 4 is a schematic which illustrates a cache.

[0017] Figs. 5A and 5B in combination are an over-all flow chart of firewall processing for multiple domains.

[0018] Fig. 6 is a schematic which illustrates a domain table.

[0019] Fig. 7 is a flow chart of an aspect of firewall processing for multiple domains.

[0020] Fig. 8 is a schematic which illustrates a dependency mask.

[0021] Fig. 9 is a flow chart of dependency mask processing.

[0022] Fig. 10A is a flow chart of proxy reflection processing at the firewall.

[0023] Fig. 10B is a flow chart of proxy reflection processing at a remote proxy.
Detailed Description

[0024] The preferred techniques can be implemented at a firewall for controlling the flow of data between, for example, separate local area networks (LANs) or subnets of a LAN. Exemplary embodiments of the invention are described in terms of processes. Efficient prototypes of such processes have been implemented in software using the "C" programming language for implementation on general-purpose PC hardware. Efficiency can be enhanced further, as is known, by special-purpose firmware or hardware computer system implementations.

1. Support for Multiple Security Domains

[0025] With a capability for supporting multiple security domains, a single firewall can support multiple [sites, each with] a separate security policy. Also, as different security policies can apply for [different parts of a site], such a capability can be used within a site. Respective configurations are illustrated by Figs. 1 and 2.

[0026] Fig. 1 shows four user sites 101-104, e.g., of corporations A through D, with firewall protection in their connections to the Internet 105. Such protection is provided by a firewall facility, here in the form of a LAN 110 including firewall processors 111, 113 and 114, an administrator processor 115, a router 116 and a web server 117. Each of firewall processors 113 and 114 is dedicated to a single site, namely respective sites 103 and 104. Firewall processor 111 serves the two sites 101 and 102. Firewall processor 111 implements separate firewall policies for each of the two sites vis-a-vis the Internet 105, as well as for communications between the two sites. A process for [...].

[0027] Fig. 2 shows a user site 201 connected to the Internet 105 via a firewall processor 211. An administrator processor 215 and a router 216 are connected to the firewall processor 211. The router 216 is connected to additional firewall processors 212 and 213 which are internal to the user site 201. The firewall processor 212 protects a single sub-site, such as Human Resources (HR). The firewall processor 213 is configured for protecting two sub-sites, such as Payroll (P) and Disbursements (D), vis-a-vis the remainder of the site 201 as well as [for communications] between sub-sites 221 and 222. This can be achieved by employing the process illustrated by Figs. 5A and 5B in the firewall processor 213.
[0028] The security policies are represented by sets of access rules which are represented in tabular form and configured by a firewall administrator. As illustrated by Fig. 3, such a table can provide for categories such as designations of source and destination hosts, a designation of a special service which can be [...], and a specification of an action to be taken on a packet. Special services can include proxy services, network address translation, and encryption, for example. In Fig. 3, the categories "Source Host," "Destination Host" and "Service" impose conditions which must be satisfied by data included in a packet for the specified [...]. [...] For example, application of a rule can be conditional on the time of day or day of the week.

[0029] When a category provided in the rule table is irrelevant in a certain rule, the corresponding table entry can be [set to] a wild card. This can apply to any one or any combination of the categories. In Fig. 3 and elsewhere, an asterisk (*) is used for wild card entries. "FTP" stands for "file transfer protocol".

[0030] In rule processing for a packet, the rules are applied sequentially until a rule is found which is satisfied by the packet (or until the rule table is exhausted, in which case the packet is dropped). For a packet to satisfy a rule, each condition included in the rule must be met. For example, with reference to Fig. 3, a packet from source host A [...]

[...] rule set categories in accordance with the invention. The first five category names correspond to the categories shown [in Fig. 3].
Category Name: Description

Rule Number: Number of rule within domain. Rule numbers do not have to be unique but should generally represent a single service, such as FTP.
Source Host: Source host group identifier or IP address.
Destination Host: Destination host group identifier or IP address.
Service: Service group or protocol/destination port/source port.
Action: Rule action, e.g., "pass," "drop," or "proxy".
Notify on Drop: If "yes," an Internet Control Message Protocol (ICMP) message is sent out if action is "drop".
Cache Timeout: Number of seconds of inactivity before session entry is removed from cache.
Reset Session: If "yes," for TCP sessions, send TCP reset to both ends of connection upon cache timeout.
Rule Timeout: Number of seconds of inactivity before rule is removed from rule list.
Start Period: Start active period for rule.
End Period: End active period for rule.
Kill Session at End of Period: If "yes" then any sessions authorized by this rule will be killed at the end of the time period.
Dependency Mask: Dependency mask name.
In Interface: Interface name to match on reception.
Out Interface: Interface name to which packet is sent.
Audit Session: Audit record generation. If "yes" then audit record is generated at the beginning and again at the end of the session.
Alarm Code: Alarm code value to tie rule to particular alarms.
Source Host Map Group: IP address or host group containing map-to host IP addresses.
Source Host Map Type: Type of mapping to be performed, e.g., "pool" or "direct".
Destination Host Map Group: IP address or host group containing map-to host IP addresses.
Destination Host Map Type: Type of mapping to be performed, e.g., "pool" or "direct".
Service Map Group: Service group containing map-to destination port numbers or the destination port. Protocol and source port in a referenced service group are ignored.
Service Map Type: Type of mapping to be performed, e.g., "pool" or "direct".
Max Use Total Count: Maximum number of times this rule may be used. The rule is removed after the limit is reached.
Max Use Concurrent Count: Maximum number of sessions authorized by this rule which may be active at a given time. The rule is inactive until the count falls below the designated value.
Copy to Address: Address of application to which a copy of packet is sent. Used for session captures.
Tunnel Destination: Set up a tunnel and send it to this destination address and protocol. A new IP header will be added to the packet.
Tunnel Requirements: Indicates when tunneling is required. If "null" then no check is required. If "in" then incoming session must have been tunneled. If "out" then initiate action to tunnel packet. If "both" then do both.
IPSEC Requirements: Indicates when IP Security (IPSEC) processing is required. If "null" then no check is required. If "in" then incoming session must have been protected using IPSEC. If "out" then initiate action to add IPSEC protection. If "both" then do both.
Sequence Number Randomize: Option to randomize TCP sequence numbers. Default is "no."
Syn Storm Protection: Provide protection from "syn storm" attacks. Default is "no."
Authorize Return Channel: If "yes," initial packet will create forward and reverse channels in cache with same action. Default is "yes."


2. Stateful Packet Filtering 

[0031] A computer network firewall in accordance with the invention can be configured to utilize "stateful" packet filtering, which improves performance by storing in a cache the results of rule processing as applied to one or more packets. Stateful packet filtering may be implemented by caching rule processing results for received packets, and then utilizing the cached results to bypass rule processing for subsequent similar packets. For example, [the result of] applying a rule set to a packet of a given network session may be cached, such that when a subsequent packet from the same network session arrives in the firewall, the cached results from the previous packet are used for the subsequent packet. This eliminates the need to apply the rule set to each incoming packet, and thereby provides substantial [...].

[0032] As the number of sessions may be many times the number of rules, efficient use of a cache may require indexing (using a hash table, for example). As illustrated by Fig. 4, the cache can include a "session key", address information, interface information, the number of the applicable rule, an alarm code, statistical information and an action. The session key includes at least one header item which was appended to the data to be transmitted in the packet, and in an exemplary embodiment includes (i) the IP source address, (ii) the IP destination address, (iii) the next-level protocol, e.g., transmission control protocol (TCP) or universal datagram protocol (UDP), (iv) the source port associated with the protocol, and (v) the destination port associated with the protocol. In Fig. 4, the session key items (i) and (ii) are shown individually. Items (iii) to (v) are represented by [...].

[0033] In the firewall, a decision module or engine, here called a "domain support engine" (DSE), determines which security policy to use for a new network session. Each new session must be approved by the security policies of the source domain and the destination domain(s). For connections going to the Internet, it is likely that only a single [domain ...].

[0034] Figs. 5A and 5B illustrate over-all flow for packet processing by a firewall which supports multiple domains. Processing includes determining the domains which the packet is to cross, examining the applicable rules to ascertain whether the packet may pass, and determining whether any special processing is required. In the firewall, each domain is associated with one or more network interfaces. Interfaces that support more than one domain are separated using an IP address range to distinguish the packets. The following steps are included.

501: an IP packet is received by the firewall at an interface;

502: the session key is obtained from the IP header of the packet;

503: on the basis of which interface received the packet and the source IP address of the received packet, the [source domain is determined] as described separately below with reference to Figs. 6 and 7; if no domain is found, [...];

504: [using the session key obtained in] step 502, the cache of the source domain is searched for a match; if a match is found in the cache and if the action is not "drop," the process continues with step 505; if a match is found in the cache and the action is "drop," the packet is dropped and the process returns to step 501; if no match is found in the cache, the source domain's rule set is searched for a match; if a match is found in the rules and if the action is not "drop," the process continues with step 505; if a match is found in the rules and the action is "drop," [the result is] included in the cache, the packet is dropped, and the process returns to step 501; if no match is found in the rules, the packet is dropped and the process returns to step 501;

505: the destination interface is determined using the local area network (LAN) address of the packet and, if the source domain rule specifies a destination interface, using that destination interface and a routing table;

506: the destination domain is [determined]; if the destination domain matches the domain just checked, the process skips to step 508;

507: cache look-up and, if required, rule set look-up for the destination domain are carried out in a manner analogous to that employed for the source domain in step 504;

508: if a rule that applies to the packet calls for an address change, e.g., to a proxy or for insertion of one packet [...], the process returns to step 505 for processing based on the changed destination;

509: if the packet was not processed with respect to any domain, the packet can be dropped, as a firewall owner [...] communications interfaces which are not subject to any access rules;

510: with all actions having resulted in "pass," the packet is sent out the appropriate network interface.
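The sequential, wild-card rule matching of paragraphs [0029] and [0030], the session cache keyed by the Fig. 4 session key of paragraphs [0031] and [0032], and the multi-domain flow of steps 501 to 510 together with the domain table search of steps 701 to 703, worked as one added Python example. This is not code from the patent (whose prototypes were written in C); the rule table, domain table, routes, interface names, addresses and packets are constructed sample data, CIDR host groups in rule fields are an assumed syntax, and treating the Internet side as its own domain "inet" is a simplification chosen for the example.

```python
"""Stateful, multi-domain packet filter modelled on Figs. 3 to 7 and steps 501-510 and
701-703 above (added illustration, not the patent's own code). Rules, domain table,
routes, addresses and packets are constructed; CIDR host groups are an assumed syntax."""
import ipaddress
from collections import namedtuple

WILD = "*"  # wild card entry, as in Fig. 3
# Fig. 4 session key: (i) src IP, (ii) dst IP, (iii) protocol, (iv) src port, (v) dst port
SessionKey = namedtuple("SessionKey", "src dst proto sport dport")
# Rule table row (Fig. 3 categories): service is "protocol/destination port/source port",
# action is "pass", "drop" or "proxy", return_channel is "Authorize Return Channel".
Rule = namedtuple("Rule", "number src_host dst_host service action cache_timeout return_channel",
                  defaults=(60, True))

def reverse(key):
    return SessionKey(key.dst, key.src, key.proto, key.dport, key.sport)

def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def host_matches(want, addr):
    """Host field: wild card, one IP address, or a CIDR host group (assumed syntax)."""
    return want == WILD or (in_net(addr, want) if "/" in want else want == addr)

def rule_matches(rule, key):
    """Every condition of the rule must be met (paragraph [0030])."""
    proto, dport, sport = rule.service.split("/")
    return (host_matches(rule.src_host, key.src) and host_matches(rule.dst_host, key.dst)
            and proto in (WILD, key.proto) and dport in (WILD, str(key.dport))
            and sport in (WILD, str(key.sport)))

class Domain:
    def __init__(self, name, rules):
        self.name, self.rules = name, rules
        self.cache = {}   # SessionKey -> (rule number, action, expiry time), Fig. 4 in miniature

    def decide(self, key, now):
        """Step 504: cache first, then the rules in order (first match wins); None if exhausted."""
        entry = self.cache.get(key)
        if entry is not None and entry[2] > now:
            return entry[1]
        self.cache.pop(key, None)              # discard an expired entry
        for rule in self.rules:
            if rule_matches(rule, key):
                self.cache[key] = (rule.number, rule.action, now + rule.cache_timeout)  # drops cached too
                if rule.return_channel and rule.action == "pass":
                    self.cache[reverse(key)] = self.cache[key]
                return rule.action
        return None

def find_domain(table, iface, addr):
    """Steps 701-703 over (interface, domain, address range or None) entries."""
    for entry_iface, domain, ip_range in table:
        if entry_iface == iface and (ip_range is None or in_net(addr, ip_range)):
            return domain
    return None

class Firewall:
    def __init__(self, domains, table, routes):
        self.domains, self.table, self.routes = {d.name: d for d in domains}, table, routes

    def process(self, key, in_iface, now):
        """Steps 501-510 for one packet: returns "drop" or "pass:<output interface>"."""
        src_domain = find_domain(self.table, in_iface, key.src)                  # step 503
        if src_domain is None:                                                    # step 509
            return "drop"
        if self.domains[src_domain].decide(key, now) in (None, "drop"):          # step 504
            return "drop"
        out_iface = next((i for net, i in self.routes if in_net(key.dst, net)), None)  # 505
        dst_domain = find_domain(self.table, out_iface, key.dst)                 # step 506
        if dst_domain not in (None, src_domain):                                 # step 507
            if self.domains[dst_domain].decide(key, now) in (None, "drop"):
                return "drop"
        return "drop" if out_iface is None else "pass:" + out_iface              # step 510

def build_sample_firewall():
    """Constructed setup: sites A and B share eth1 and are told apart by address range
    (paragraph [0034]); the Internet side is its own domain "inet" on eth0."""
    site_a = Domain("siteA", [Rule(10, "10.1.0.9", WILD, "*/*/*", "drop"),
                              Rule(20, "10.1.0.0/16", WILD, "tcp/80/*", "pass")])
    site_b = Domain("siteB", [Rule(10, "10.2.0.0/16", WILD, "tcp/21/*", "pass")])  # FTP only
    inet = Domain("inet", [Rule(10, "10.0.0.0/8", WILD, "*/*/*", "pass")])         # outbound only
    table = [("eth1", "siteA", "10.1.0.0/16"), ("eth1", "siteB", "10.2.0.0/16"), ("eth0", "inet", None)]
    routes = [("10.1.0.0/16", "eth1"), ("10.2.0.0/16", "eth1"), ("0.0.0.0/0", "eth0")]
    return Firewall([site_a, site_b, inet], table, routes)

def demo():
    fw = build_sample_firewall()
    web = SessionKey("10.1.0.5", "198.51.100.7", "tcp", 40000, 80)
    return {
        "web_first": fw.process(web, "eth1", 0),                  # rules run, result cached
        "web_again": fw.process(web, "eth1", 5),                  # served from the cache
        "web_reply": fw.process(reverse(web), "eth0", 6),         # authorized return channel
        "unsolicited": fw.process(SessionKey("198.51.100.7", "10.1.0.5", "tcp", 4444, 22), "eth0", 7),
        "siteB_web": fw.process(SessionKey("10.2.0.8", "198.51.100.7", "tcp", 40001, 80), "eth1", 8),
        "blocked_host": fw.process(SessionKey("10.1.0.9", "198.51.100.7", "tcp", 40002, 80), "eth1", 9),
        "web_expired": fw.process(web, "eth1", 1000),             # timeout passed: rules run again
        "siteA_cache_size": len(fw.domains["siteA"].cache),
    }
```

The unsolicited inbound packet is dropped not by a rule but because the "inet" domain's rule set is exhausted, while the reply to the cached web session passes on a cache hit in both domains it crosses: that is the default-deny behaviour the return-channel entry is meant to carve an exception into, and the cache timeout closes that exception again once the session goes quiet.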

[0035] For convenient linking of each network interface to a domain, a domain table is used. In cases where an [interface supports several] domains, an [IP address] range is [included]. This [...] which [...].

[0036] Fig. 7 illustrates domain table processing as performed in steps 503 and 506 described above, including the following steps:

701: the domain table is searched for a match of the interface name;

702: if a matching table entry is found, and if the IP address range is present in the matching table entry, the packet [...];

703: if the end of the table is reached without a match having been found, no action is taken.
3. Dependency Mask

[0037] For protocols of the type which require a separate, additional network session from the outside back to the user, such as, for example, the protocol employed by RealAudio, a rule can include a condition (mask) that allows a connection back to a user, but only if there is a proper forward connection concurrently active. [...]

[0038] The dependency mask in accordance with the invention can define a query directed to the session cache. A [match is determined] by matching all fields defined in the mask with the corresponding fields in the cache. Empty fields within the mask are not used for comparison.

[0039] The dependency mask can be defined in a rule for the first packet of a network session, using (a) information [from the packet], (b) the source interface for that packet and (c) one or several dependency conditions that must be met. [...] After the first packet has been processed by the firewall, a corresponding entry is made in the cache.

[0040] Fig. 8 shows rules with a dependency mask ("hit count") in a format similar to that of Fig. 3. Special symbols [are used], namely (i) a period (.) calling for inclusion of packet data of the corresponding category, and (ii) a caret symbol (^) calling for inclusion of packet data from a certain different category. [The hit count] specifies the number of matches which must be found in the cache for the [rule's action to be] taken. For example, in the dependency mask named "realaudio," a count of 1 is used for passing UDP packets provided [...].

[0041] Fig. 9 illustrates dependency mask processing including the following steps:

901: the packet is obtained and the session key is extracted;

902: the process steps through the rule set entries; if no match is found with a given rule the process advances [to the next rule set entry, and if the rule set is exhausted the packet is dropped]; if a match is found and the dependency mask field is null, the process skips to step 905;

903: the packet and interface information may be included in the formation of a cache search structure, e.g., a query; if a user authentication flag is set in the dependency mask, the corresponding flag is set in the cache search structure;

904: [the cache is searched, accumulating a count of matches with the cache search structure];

905: [if the hit count is reached], the rule is selected and the action associated [with the rule is taken; otherwise the process] returns to step 902 to find another rule; this is processing of the action portion of the rule as a function of the result of the query.

[0042] [...] in the session cache after processing of the first packet.
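Dependency mask processing of paragraphs [0038] to [0041] (Fig. 8 and steps 901 to 905), worked as an added Python example that is not code from the patent. The mask is treated as a query over a list of cache entries: an empty field is ignored, "." copies the packet's own value for that category, "^" copies the value of the opposite-direction category (the text only says "a certain different category", so reading it as the swapped source/destination is an assumption made here), and any other value is a literal. The "realaudio" mask, the control port, the addresses, the interface names and the cache contents are constructed sample data, and the `Packet`, `DependencyMask` and `Rule` shapes are this example's own.

```python
"""Dependency mask processing after Fig. 8 and steps 901-905 above (added illustration,
not the patent's own code). A mask is a query against the session cache: empty mask
fields are ignored, "." takes the packet's own value for that category, "^" takes the
value of the opposite-direction category (an assumption about which "different category"
the text means), and anything else is a literal. The action is taken only when the number
of matching cache entries reaches the hit count. Rules, cache entries and packets are
constructed sample data."""
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport in_iface")
# fields: category -> ".", "^", "" (ignored) or a literal; hit_count: matches required
DependencyMask = namedtuple("DependencyMask", "name fields hit_count auth_required")
Rule = namedtuple("Rule", "number src_host dst_host service action dependency")
OPPOSITE = {"src": "dst", "dst": "src", "sport": "dport", "dport": "sport"}

def rule_matches(rule, pkt):
    proto, dport, sport = rule.service.split("/")
    return all(want in ("*", str(have)) for want, have in
               ((rule.src_host, pkt.src), (rule.dst_host, pkt.dst), (proto, pkt.proto),
                (dport, pkt.dport), (sport, pkt.sport)))

def form_search_structure(mask, pkt):
    """Step 903: build the cache query from the mask, the packet and the interface."""
    query = {}
    for category, spec in mask.fields.items():
        if spec == "":
            continue                              # empty field: not used for comparison
        if spec == ".":
            query[category] = getattr(pkt, category)
        elif spec == "^":
            query[category] = getattr(pkt, OPPOSITE.get(category, category))
        else:
            query[category] = spec
    if mask.auth_required:                        # user authentication flag carried over
        query["authenticated"] = True
    return query

def count_matches(cache, query):
    """Step 904: number of cache entries agreeing with every field of the query."""
    return sum(all(str(entry.get(k)) == str(v) for k, v in query.items()) for entry in cache)

def select_rule(rules, cache, pkt):
    """Steps 902-905: first rule whose conditions hold and whose dependency mask, if any,
    reaches its hit count; None when the rule set is exhausted."""
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.dependency is None:
            return rule
        query = form_search_structure(rule.dependency, pkt)
        if count_matches(cache, query) >= rule.dependency.hit_count:
            return rule
    return None

def process_packet(rules, cache, pkt):
    """Returns the action; on "pass" a corresponding entry is made in the cache (step 905)."""
    rule = select_rule(rules, cache, pkt)
    if rule is None:
        return "drop"
    if rule.action == "pass":
        cache.append(dict(pkt._asdict(), rule=rule.number, authenticated=False))
    return rule.action

# Constructed example in the spirit of Fig. 8: inbound UDP from a media server is allowed
# only while the user holds an authenticated TCP control session to that same server.
REALAUDIO = DependencyMask("realaudio", {"src": "^", "dst": "^", "proto": "tcp",
                                         "dport": "7070", "in_iface": "eth1"}, 1, True)
RULES = [Rule(10, "*", "*", "udp/*/*", "pass", REALAUDIO),
         Rule(20, "*", "*", "*/*/*", "drop", None)]

def demo():
    cache = [dict(src="10.1.0.5", dst="203.0.113.20", proto="tcp", sport=50000, dport=7070,
                  in_iface="eth1", rule=5, authenticated=True)]   # active forward control session
    stream = Packet("203.0.113.20", "10.1.0.5", "udp", 6970, 6970, "eth0")
    stray = Packet("203.0.113.99", "10.1.0.5", "udp", 6970, 6970, "eth0")
    results = {"stream": process_packet(RULES, cache, stream),   # hit count 1 reached: pass
               "stray": process_packet(RULES, cache, stray),     # no matching control session
               "cache_after": len(cache)}
    cache.clear()                                                # control session timed out
    results["stream_after_timeout"] = process_packet(RULES, cache, stream)
    return results
```

The point the example makes is that the UDP rule never opens a standing hole: the same inbound packet passes while the user's control session is in the cache and falls through to the drop rule as soon as that session has timed out, and a packet from a different server cannot satisfy the query because the "^" fields tie the query to the addresses of the packet being checked.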
4. Dynamic Rules 

[0043] Dynamic rules are rules which are included with the access rules as a need arises, for processing along with [the pre-loaded access rules] by the rule processing engine. Dynamic rules can include unique, current information such as, for [example, ...]. [...] The dynamic rules for a given [...] can be modified based on events happening in [...]. [...]

[0044] Exemplary dynamic rules include [...], a [threshold] rule which is used only when certain conditions are [satisfied ...] a separate channel rule for use with all requests. As a result, the rule specification and rule processing are simplified, and security is improved.

5. Proxy Reflection 

[0045] Proxy reflection in accordance with the present invention involves redirecting a network session to another, [remote] proxy server for processing, and then later passing it back via the firewall to the intended destination. When [...]

[...] capabilities, the proxy application [...]

[...] Fig. 10A illustrates proxy reflection processing including the following steps at the firewall:

1001: packet is received by the firewall;

[...] the [action] is determined by looking [up the] appropriate session cache or, if not found in the cache, [...];

1004: if the action indicates a remote proxy, the packet's destination address is replaced with the address of the remote proxy; if configured, the destination port can be changed as well; the original packet header data is recorded in the session cache along with any changed values;

1005: the packet is routed to the remote proxy server.

[0050] Fig. 10B illustrates processing at the remote proxy, subsequent to step 1005, including the following steps:

1006: the packet is received in the remote proxy server application;

1007: the remote proxy contacts the firewall for the original session key for the packet;

1008: the remote proxy application uses the original session key to perform its function, such as [dropping] the connection based on its own security model, performing the requested service, or [...];

1009: the [proxy] application contacts the firewall over the [...] channel to request dual [...] capability;

1010: the firewall determines a new destination port number that will guarantee uniqueness of the connection from [...] [and sends the port] number and the session back to the proxy application;

1011: the remote [proxy application establishes] a connection from [itself] to the original destination [...];

1012: the firewall loads a dynamic rule to perform this action.

[0051] [...] except that steps [...].
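Proxy reflection (steps 1001 to 1012) together with the dynamic rule of section 4 that step 1012 loads, worked as one added Python example that is not code from the patent. The firewall rewrites the destination of a session to the remote proxy and records the original header in its session cache, answers the proxy's request for the original session key, and, when the proxy asks for its connection back, allocates a unique destination port and loads a dynamic rule with a "Max Use Total Count" of 1 that maps that port to the original destination. The addresses, ports, the proxy's own refusal list, the `map_to` rule field and the way the return connection is addressed to the firewall are constructed sample values and assumptions of this example; the page does not specify them.

```python
"""Proxy reflection (steps 1001-1012 above) combined with a dynamic rule (section 4), as an
added illustration that is not the patent's own code. The firewall redirects a session to a
remote proxy, records the original header in its session cache, answers the proxy's request
for the original session key and, when the proxy asks for the return connection, allocates a
unique destination port and loads a one-use dynamic rule that maps that port back to the
original destination. Addresses, ports, the "map_to" field and the proxy's own policy are
constructed sample values and assumptions."""
from collections import namedtuple

SessionKey = namedtuple("SessionKey", "src dst proto sport dport")

class Rule:
    def __init__(self, number, src_host, dst_host, dport, action, proxy=None, map_to=None,
                 max_use_total=None):
        self.number, self.src_host, self.dst_host, self.dport = number, src_host, dst_host, dport
        self.action = action                 # "pass", "drop" or "proxy"
        self.proxy = proxy                   # (address, port) of the remote proxy for "proxy" rules
        self.map_to = map_to                 # destination host/port map applied on "pass" (assumed)
        self.max_use_total = max_use_total   # "Max Use Total Count"; None means unlimited
        self.uses = 0

    def matches(self, key):
        return (self.src_host in ("*", key.src) and self.dst_host in ("*", key.dst)
                and self.dport in ("*", str(key.dport)))

class Firewall:
    def __init__(self, address, rules):
        self.address = address
        self.rules = list(rules)        # pre-loaded access rules
        self.dynamic_rules = []         # loaded as the need arises, processed with the others
        self.cache = {}                 # forwarded session key -> original session key
        self.next_port = 40000          # constructed pool of unique destination ports

    def handle(self, key):
        """Steps 1001-1005: returns (verdict, key as forwarded)."""
        rule = next((r for r in self.dynamic_rules + self.rules if r.matches(key)), None)
        if rule is None or rule.action == "drop":
            return "drop", key
        rule.uses += 1
        if rule.max_use_total is not None and rule.uses >= rule.max_use_total:
            self.dynamic_rules.remove(rule)          # removed once the limit is reached
        if rule.action == "proxy":                    # step 1004
            forwarded = key._replace(dst=rule.proxy[0], dport=rule.proxy[1])
            self.cache[forwarded] = key               # original header data recorded
            return "proxy", forwarded                 # step 1005: routed to the remote proxy
        if rule.map_to is not None:
            return "pass", key._replace(dst=rule.map_to[0], dport=rule.map_to[1])
        return "pass", key

    def original_session_key(self, forwarded):
        """Step 1007: the proxy asks for the original session key of a redirected packet."""
        return self.cache.get(forwarded)

    def request_return_channel(self, proxy_addr, original):
        """Steps 1010 and 1012: unique destination port plus a one-use dynamic rule."""
        port, self.next_port = self.next_port, self.next_port + 1
        self.dynamic_rules.append(Rule(900, proxy_addr, self.address, str(port), "pass",
                                       map_to=(original.dst, original.dport), max_use_total=1))
        return port

class RemoteProxy:
    def __init__(self, address, port, firewall, refused_destinations=()):
        self.address, self.port, self.firewall = address, port, firewall
        self.refused = set(refused_destinations)   # the proxy's own security model (constructed)

    def receive(self, forwarded):
        """Steps 1006-1011: returns the key of the proxy's connection back through the firewall,
        or None if the proxy refuses the session."""
        original = self.firewall.original_session_key(forwarded)               # step 1007
        if original is None or original.dst in self.refused:                    # step 1008
            return None
        port = self.firewall.request_return_channel(self.address, original)    # steps 1009-1010
        return SessionKey(self.address, self.firewall.address, "tcp", self.port, port)  # step 1011

def demo():
    fw = Firewall("192.0.2.1", [Rule(10, "*", "*", "80", "proxy", proxy=("203.0.113.50", 8080)),
                                Rule(20, "*", "*", "*", "drop")])
    proxy = RemoteProxy("203.0.113.50", 8080, fw, refused_destinations={"198.51.100.99"})
    client = SessionKey("10.1.0.5", "198.51.100.7", "tcp", 50000, 80)
    verdict, forwarded = fw.handle(client)                       # redirected to the proxy
    back = proxy.receive(forwarded)                              # proxy's return connection
    first = fw.handle(back)                                      # dynamic rule maps it back
    second = fw.handle(back)                                     # rule already consumed
    refused = proxy.receive(fw.handle(SessionKey("10.1.0.6", "198.51.100.99", "tcp", 50001, 80))[1])
    return {"verdict": verdict, "forwarded": forwarded, "back": back, "first": first,
            "second": second, "refused": refused, "dynamic_rules_left": len(fw.dynamic_rules)}
```

Because the dynamic rule is consumed by its first use, a second connection to the same unique port falls through to the pre-loaded drop rule; that is the "Max Use Total Count" behaviour from the category table, and it is what keeps the reflected return path from becoming a permanent opening through the firewall.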
Claims 

1. A method for packet validation in a computer network firewall, comprising the steps of:

storing in a cache a result of applying at least a portion of a rule set to a given packet of a network session; and

utilizing the stored results to process at least one subsequent packet having a characteristic similar to that of the given packet.

2. The method of claim 1 wherein the utilizing step includes utilizing stored results to bypass rule processing for the subsequent packet.

3. The method of claim 1 wherein the subsequent packet is from the same network session as the given packet.

4. The method of claim 1 wherein [the utilizing step includes] using a [session] key [associated with the subsequent packet to retrieve the stored result from the cache].

5. An apparatus for use in validating a packet in a firewall of a computer network, comprising:

a memory for storing a cache containing a result of applying at least a portion of a rule set to a given packet of a network session; and

a processor coupled to the memory, wherein the processor is operative to utilize the stored results to process at least one subsequent packet having a characteristic similar to that of the given packet.

6. The apparatus of claim 5 wherein the processor is further operative to utilize the stored results to bypass rule processing for the subsequent packet.

7. The apparatus of claim 5 wherein the subsequent packet is from the same network session as the given packet.

8. The apparatus of claim 5 wherein the processor is further operative to use a session key associated with the subsequent packet to retrieve the stored result from the cache.

9. A computer system for packet validation in a computer network, comprising means for carrying out each step in a method as claimed in any of claims 1 to 4.

10. A computer system for packet validation in a computer network, comprising a processor which is instructed to carry out a method as claimed in any of claims 1 to 4.